Bugtraq mailing list archives

Re: ftpd: the advisory version


From: admin () RNC RU (Kasatenko Ivan Alex.)
Date: Thu, 29 Jun 2000 11:55:21 +0400


Hello!

On Wed, Jun 28, 2000 at 10:55:19PM +0200, Sebastian wrote:
Hi.

So this is still unsafe:

void
func_weak (char *domain)
{
      unsigned char   buff[2000];
      size_t          len = domain[0];

      strncpy (&buff[0], &domain[1], len);
      buff[1999] = '\x00';
}


It *is* safe, as far as the char type is concerned.
And len cannot fall below zero and cannot grow above
255. (0 <= char <= 255, on most platforms)
The size of buff is much more than 255. So this code
is safe, in my opinion.

The problem may reveal itself only on computers where
char type is signed by default.

*wave*,
        John <skywriter () rnc ru>


Current thread: